Wiredmikey writes "On Wednesday, a remote code execution vulnerability in PHP was by mistake exposed to the Web, persuade fears that it may be used to target assailable websites on a massive scale. The bug itself was traced back to 2004, and came to light during a recent CTF competition. 'When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a snacks query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to break source code and obtain erratic code execution,' a CERT explains. PHP developers pushed a fix for the flaw, resulting in the release of PHP 5.3.12 and 5.4.2, but as it turns out it didn't in truth remove the vulnerability."